Hi,
>>Our current Server CA certificate will expire in 2026 (when hopefully it
>>won't be my problem!).
>
>Thus the universal CA root cert lifetime policy, "the lifetime of a CA root
>certificate is the time till retirement of the person in charge at its
>creation, plus five years" :-).
This negl
"Jeffrey I. Schiller" writes:
>Our current Server CA certificate will expire in 2026 (when hopefully it
>won't be my problem!).
Thus the universal CA root cert lifetime policy, "the lifetime of a CA root
certificate is the time till retirement of the person in charge at its
creation, plus five
Nicolas Williams writes:
>This goes to show that we do need a TA distribution protocol (not for the
>web, mind you), and it needs to use PKI -- a distinct, but related PKI.
... and now you have two (probably unsolvable) problems instead of one.
In addition because the second problem virtua
"Jeffrey I. Schiller" writes:
>Because of prior experience with a SafeKeyper(tm) (a very large HSM), I
>learned that when the only copy of your key is in an HSM, the HSM vendor
>really owns your key, or at least they own you!
I thought the Safekeypers had a cloning mechanism (as do things like Ch